Security-30.1.tar.gz
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // acls - SecurityServer ACL implementation
21 //
22 #include "acls.h"
23 #include "connection.h"
24 #include "server.h"
25 #include "SecurityAgentClient.h"
26 #include <Security/acl_any.h>
27 #include <Security/acl_password.h>
28 #include <Security/acl_threshold.h>
29
30
31 //
32 // SecurityServerAcl is virtual
33 //
// Out-of-line definition of the destructor. The body is empty: nothing
// ACL-specific is torn down at this level.
SecurityServerAcl::~SecurityServerAcl()
{
}
36
37
38 //
39 // Each SecurityServerAcl type must provide some indication of a database
40 // it is associated with. The default, naturally, is "none".
41 //
// Base-class answer to "which database does this ACL belong to?": none.
// Always returns NULL here.
const Database *SecurityServerAcl::relatedDatabase() const
{
    const Database *noDatabase = NULL;
    return noDatabase;
}
44
45
46 //
47 // Provide environmental information to get/change-ACL calls.
48 // Also make them virtual so our children can override them.
49 //
// Return ACL entries via ObjectAcl::cssmGetAcl after running instantiateAcl().
//   tag   - passed through unchanged to ObjectAcl::cssmGetAcl
//   count - out: filled in by ObjectAcl::cssmGetAcl
//   acls  - out: filled in by ObjectAcl::cssmGetAcl
// No credentials are taken or checked on this read path.
// NOTE(review): confirm callers gate access if ACL contents are sensitive.
void SecurityServerAcl::cssmGetAcl(const char *tag, uint32 &count, AclEntryInfo * &acls)
{
    instantiateAcl();   // every get/change entry point in this file calls this first
    ObjectAcl::cssmGetAcl(tag, count, acls);
}
55
// Return the ACL owner via ObjectAcl::cssmGetOwner after running instantiateAcl().
//   owner - out: filled in by ObjectAcl::cssmGetOwner
// As with cssmGetAcl, no credentials are involved on this read path.
void SecurityServerAcl::cssmGetOwner(AclOwnerPrototype &owner)
{
    instantiateAcl();   // every get/change entry point in this file calls this first
    ObjectAcl::cssmGetOwner(owner);
}
61
// Apply an ACL edit on behalf of a client.
//   edit - the requested change, passed through to ObjectAcl::cssmChangeAcl
//   cred - the caller's credentials, passed through unchanged (may be a null
//          pointer as far as this function is concerned; it is not inspected here)
// The authorization decision is not made here: it is delegated to
// ObjectAcl::cssmChangeAcl, which receives the credentials together with a
// SecurityServerEnvironment built from this object.
void SecurityServerAcl::cssmChangeAcl(const AclEdit &edit, const AccessCredentials *cred)
{
    instantiateAcl();

    SecurityServerEnvironment environment(*this);
    ObjectAcl::cssmChangeAcl(edit, cred, &environment);

    // Reached only when the call above returned normally; if it throws,
    // no change notification is issued.
    noticeAclChange();
}
69
// Replace the ACL owner on behalf of a client.
//   newOwner - the requested owner, passed through to ObjectAcl::cssmChangeOwner
//   cred     - the caller's credentials, passed through unchanged; not inspected here
// As in cssmChangeAcl, the authorization check lives in the ObjectAcl call,
// which is given a SecurityServerEnvironment built from this object.
void SecurityServerAcl::cssmChangeOwner(const AclOwnerPrototype &newOwner,
    const AccessCredentials *cred)
{
    instantiateAcl();

    SecurityServerEnvironment environment(*this);
    ObjectAcl::cssmChangeOwner(newOwner, cred, &environment);

    // Reached only when the call above returned normally; if it throws,
    // no change notification is issued.
    noticeAclChange();
}
78
79
80 //
81 // Modified validate() methods to connect all the conduits...
82 //
// Validate a request against this ACL, supplying the server-side environment.
//   auth - the authorization being requested
//   cred - the caller's credentials, forwarded as-is (not inspected here)
// Delegates to ObjectAcl::validate with a SecurityServerEnvironment built from
// this object. Nothing is returned, so a rejection must surface through the
// delegate (presumably as an exception -- confirm against ObjectAcl::validate).
void SecurityServerAcl::validate(AclAuthorization auth, const AccessCredentials *cred) const
{
    SecurityServerEnvironment environment(*this);
    ObjectAcl::validate(auth, cred, &environment);
}
88
// Convenience overload: pull the access credentials out of a CSSM context
// (attribute CSSM_ATTRIBUTE_ACCESS_CREDENTIALS) and validate with them.
//   auth    - the authorization being requested
//   context - the context to read the credentials attribute from
// NOTE(review): what get<>() yields when the attribute is absent is not
// visible here; the credential-pointer overload accepts whatever it returns.
void SecurityServerAcl::validate(AclAuthorization auth, const Context &context) const
{
    const AccessCredentials *contextCred =
        context.get<AccessCredentials>(CSSM_ATTRIBUTE_ACCESS_CREDENTIALS);
    validate(auth, contextCred);
}
94
95
96 //
97 // This function decodes the "special passphrase samples" that provide passphrases
98 // to the SecurityServer through ACL sample blocks. Essentially, it trolls a credentials
99 // structure's samples for the special markers, resolves anything that contains
100 // passphrases outright (and returns true), or returns false if the normal interactive
101 // procedures are to be followed.
102 // (This doesn't strongly belong to the SecurityServerAcl class, but doesn't really have
103 // a better home elsewhere.)
104 //
// Look for a caller-supplied passphrase inside the credentials' samples.
//   cred             - credentials to scan; a null pointer yields false
//   neededSampleType - outer sample type that marks a "special passphrase" sample
//   passphrase       - out: receives the passphrase when true is returned
// Returns true when a sample supplied the passphrase outright, false when no
// matching sample exists or the sample asks for the keychain prompt (i.e. the
// normal interactive path should be used).
// Throws CSSM_ERRCODE_INVALID_SAMPLE_VALUE (via CssmError::throwMe) for any
// malformed sample met during the scan, including ones that precede the match.
// The first sample of the needed type decides the outcome; later samples are
// never examined.
bool SecurityServerAcl::getBatchPassphrase(const AccessCredentials *cred,
    CSSM_SAMPLE_TYPE neededSampleType, CssmOwnedData &passphrase)
{
    // Without credentials there is nothing to decode.
    if (!cred)
        return false;

    // Only the top-level samples are inspected.
    const SampleGroup &group = cred->samples();
    for (uint32 idx = 0; idx < group.length(); idx++) {
        TypedList entry = group[idx];
        if (!entry.isProper())
            CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
        if (entry.type() != neededSampleType)
            continue;

        // Drop the outer marker; what remains must itself be a proper typed list.
        entry.snip();
        if (!entry.isProper())
            CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);

        switch (entry.type()) {
        case CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT:
            // Explicit request for the interactive procedure.
            return false;
        case CSSM_SAMPLE_TYPE_PASSWORD:
            // Expect exactly two elements: the type word and the passphrase.
            if (entry.length() != 2)
                CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
            // NOTE(review): entry[1] is used without a visible element-type
            // check; confirm the conversion rejects non-data elements.
            // NOTE(review): the secret now lives in the caller's CssmOwnedData;
            // confirm callers clear it once it is no longer needed.
            passphrase = entry[1];
            return true;
        default:
            // Any other inner type is rejected rather than ignored.
            CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
        }
    }
    return false;
}
135
136
137 //
138 // Implement our environment object
139 //
// User id presented to ACL evaluation: read from the process object of
// Server::connection(), not from the server's own process.
// NOTE(review): presumably the connection is the one being served by the
// current request -- confirm in Server::connection().
uid_t SecurityServerEnvironment::getuid() const
{
    const uid_t clientUid = Server::connection().process.uid();
    return clientUid;
}
144
// Group id presented to ACL evaluation: read from the process object of
// Server::connection(), not from the server's own process.
gid_t SecurityServerEnvironment::getgid() const
{
    const gid_t clientGid = Server::connection().process.gid();
    return clientGid;
}
149
// Process id presented to ACL evaluation: read from the process object of
// Server::connection(), not from the server's own process.
pid_t SecurityServerEnvironment::getpid() const
{
    const pid_t clientPid = Server::connection().process.pid();
    return clientPid;
}
154
// Check a code signature on behalf of ACL evaluation.
//   signature - the signature to check, forwarded unchanged
// Returns whatever the process object of Server::connection() reports; the
// verification itself is not implemented here.
bool SecurityServerEnvironment::verifyCodeSignature(const CodeSigning::Signature *signature)
{
    const bool verified = Server::connection().process.verifyCodeSignature(signature);
    return verified;
}